Flying on the fastest Ethernet network.

Is Encryption of Data at the Fibre Channel Adapter Necessary?

Determining where to protect and encrypt your digital assets in the SAN requires an understanding of the crucial vulnerabilities in the storage infrastructure and the potential types of threats that may arise. Data center administrators have been implementing encryption in different areas of the data center for years, or they have been reluctant to implement encryption at all because of the many complexities involved. A major reason for not implementing encryption has been the fear of losing the key needed to decrypt the data. Additionally, there are numerous concerns as to “how” to encrypt information. So which is the best approach?
 
It is well known that FC SAN security is enforced through physical means, by keeping the data secure within the walls of the data center and by providing network isolation. Consequently, protecting data in-flight through encryption in a Fibre Channel SAN is unnecessary, and products being offered by some vendors are merely solutions in search of a problem. Some vendors claim there is a market that needs this level of security. However, anyone asking for this level of security needs to consider the following challenges:

  1. Additional complexity and exposure of the data to more vulnerabilities (e.g. key management has to extend to all hosts).
  2. Interoperability challenges with multi-vendor adapters that may or may not support on-board encryption or the same crypto algorithms. For example, disk drives encrypted by hardware on adapters can only be read by the same vendor’s adapters or by the proprietary solutions that created them.

The bigger risk, and what is really more attractive from a hacker's point of view, is data-at-rest. Greater vulnerabilities reside in the databases and file systems stored on NAS, SAN and file servers. That’s where the risk resides, and so do your digital assets.
 
Thus, encrypting as close as possible to the storage, ideally at the disk drives, makes the most sense. Encryption can occur in the storage subsystem controller or internally in the disk drives. Encryption in the storage subsystem controller addresses the same needs as encryption on self-encrypting drives, and it protects data when disk drives are removed for repair or retired.

The right strategy in SAN data protection is to implement standards-based encryption of data-at-rest in the disk subsystem or on self-encrypting hard drives to maximize performance and flexibility. It is important to note that data-at-rest encryption, when used in conjunction with physical SAN security and techniques such as Zoning/LUN masking, addresses all the major security risks that are faced by IT administrators today. Alternative approaches such as data-in-flight encryption pose implementation and interoperability challenges that stand in the way of pervasive adoption in next-generation data centers.


 
Copyright © 2010 QLogic Corp. All Rights Reserved.